Q&As

When should I delete personal data?

read titleRead full title
Produced in partnership with Ashley Roughton of Ipchambers.eu
Published on LexisPSL on 04/05/2016

The following Information Law Q&A produced in partnership with Ashley Roughton of Ipchambers.eu provides comprehensive and up to date legal information covering:

  • When should I delete personal data?
  • The position under the EU General Data Protection Regulation (GDPR)

Eight principles for handling personal information form the core of the Data Protection Act 1998 (DPA 1998) and any person or organisation that handles personal data must comply with them. The fifth data protection principle concerns the retention of personal data. It states that:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Thus, although the DPA 1998 does not set out any specific time limits for retaining personal data, one is not permitted to keep personal data just because one wants to and the information is no longer in any way relevant. In its guidance on the fifth data protection principle, the Information Commissioner’s Office (ICO) suggests that in practice you should:

  1. review the length of time they keep personal data

  2. consider the purpose or purposes they hold the information for in deciding whether (and for how long) to retain it

  3. securely delete information that is no longer needed for this purpose or these purposes, and

  4. update, archive or securely delete information if it goes out of date

In addition to the above, having prudent policies and objective justifications which, in both cases, are documented is recommended.

Personal data will need to be

Popular documents